The (Security) Times, They Are A-Changin’ – Make Way for MFA and the New Security Era

Three years ago, a WIRED cover story declared the password dead. This was just after the famous personal identity hack of the reporter, Mat Honan.

“Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account,” the article explained. “The age of the password has come to an end; we just haven’t realized it yet.”

Fast forward three years and, yep, we have realized this new era of security. Many companies have fallen victim to data breaches since that 2012 WIRED cover story, and security has quickly risen to the top of businesses’ minds. It’s become crystal clear that passwords alone are not enough protection.

In fact, 51 percent of top executives are concerned about security as a challenge in adopting digital technologies. And they’re doing something about it: As our Businesses @ Work report found, the classic “security question” (What’s your mother’s maiden name?) is becoming less and less popular as a form of verification, dropping 14 percent since April 2014. We’ve also seen a 40 percent increase year-over-year of companies moving to protect their apps with MFA.

If the WIRED story got anything wrong, it’s the myth that you need to make a tradeoff between convenience and privacy. At Okta, we believe strong security doesn’t have to come at the expense of great user experience, as long as you have the right tools in place – including MFA to protect your apps and corporate assets.

There are four key ingredients to a security environment that’s both effective and convenient for users:

Contextual access: Access policies should allow, restrict, require step-up authentication, or deny access based on the user, device and other considerations like network, location or type of application. For example, a company should automatically require step-up authentication if an employee requests access from a device they’ve never used before.

Wide selection of second factors (that people actually want to use): Encourage easy, secure access for everyone by offering user-friendly factors like push notifications, SMS, and hardware tokens like YubiKey.

Proactive protection: Data-driven proactive security is the best kind of security. By controlling access based on historical user behavior, organizations can detect suspicious activity and also avoid unnecessary verification prompts. For example, there’s no need to require a remote employee to verify their identity every day from their home office – but it is wise to prompt for MFA if they log in from a new remote location.

Integration with all apps and VPNs: For ultimate security, integrate with a broad set of apps and network infrastructure – both cloud and on-premises – to centrally enforce MFA and protect applications that don’t natively support second factors. Data breaches cost an average of $3.8 million, so eliminate all coverage gaps to reduce your chances of getting hacked.

An IT environment that’s not only secure, but also user-friendly? You can have it all. Learn more here.


How to automatically change the Local Administrator user password

With all of the security breaches these days, these simple and easy configuration/deployment changes can automate changing the local administrator password on servers and workstations and make them less vulnerable to attack, so I decided to share this with you guys.

To do this you need to follow this article to implement the Local administrator user password: 

In my implementation of Local admin password management I have made some customisations.

The Domain Admins and the members of the AD group “AdminPassword Read” that I have created will have access to see the Local Administrator password of the servers and workstations. This password is changed every 30 days and stored in Active Directory.

I have also created a Policy named Admpwd that contains the following settings:

I have created an application in SCCM 2012 named “Local admin password management”, but you can also use a GPO to perform the installation. I have also created a deployment collection with a dynamic query so that the application is deployed to all servers/workstations whose local administrator password should be changed automatically.

The application command to perform the installation is:

  • "AdmPwd.Setup.x64.msi" /q
  • "AdmPwd.Setup.x86.msi" /q

And the deployment option, in my case, was this one:

  • Install and Required
  • Hide in Software Center and all Notifications

After the AdmPwd is installed on the machines, you are ready to go.

To view the password

To check or request a reset of the password, we need to install the AdmPwd software, which you can download here:

Open the AdmPwd UI tool with administrative rights, enter the computer name and click Search:

You can also see the password using PowerShell:

Get-AdmPwdPassword -ComputerName <computername>

Resetting the password

To manually reset the password, just click the Set button in the AdmPwd UI tool. When a Group Policy refresh runs, the password will be reset. You can also schedule the password expiration for a future time. To do so, enter the desired expiration date/time into the respective field.

You can also reset the password using PowerShell:

Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>

If we want the reset to take effect immediately (at the next Group Policy refresh), omit the -WhenEffective parameter:

Reset-AdmPwdPassword -ComputerName <computername>

With this solution you get central and secure management of the workstation local administrator account: the password can be handed to someone who needs it and changed afterwards with a single click.

Hope you guys enjoy this feature.
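As an added example that is not part of the original post, this script delegates read access for one OU to the “AdminPassword Read” group from the post and then audits two things an administrator should check regularly: who else holds the right to read the stored passwords, and which machines have stopped rotating on the 30-day schedule. The OU distinguished name and domain are assumptions; the cmdlets are the ones shipped in the AdmPwd.PS module.

```powershell
# Added example, not from the original post. Assumes the AdmPwd.PS and ActiveDirectory
# modules are installed and the caller is a Domain Admin.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou      = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the managed machines
$readers = 'AdminPassword Read'                    # the group created in the post
# Principals that legitimately hold the extended right on the OU; SYSTEM is always listed.
$allowed = @('SYSTEM', 'Domain Admins', $readers)

# Machines must be able to write their own password and expiration attributes...
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
# ...and only the chosen group gets read access to the confidential password attribute.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers | Out-Null

# Anyone with "All Extended Rights" on the OU (or on a computer object) can read every
# password stored there, so flag every holder that is not on the allow-list.
$unexpected = foreach ($entry in Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        $name = ($holder -split '\\')[-1]          # "CORP\Helpdesk" -> "Helpdesk"
        if ($allowed -notcontains $name) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Holder = $holder }
        }
    }
}
if ($unexpected) { $unexpected | Format-Table -AutoSize }
else             { "No unexpected password readers under $ou" }

# The post's policy rotates every 30 days: a stored expiration already in the past means
# the client has not checked in (machine offline, GPO not applied or CSE not installed).
# Only the computer name and timestamp are selected, so no password is written to the console.
$now = Get-Date
Get-ADComputer -SearchBase $ou -Filter * |
    ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } |
    Where-Object { $_.ExpirationTimestamp -and [datetime]$_.ExpirationTimestamp -lt $now } |
    Select-Object ComputerName, ExpirationTimestamp |
    Format-Table -AutoSize
```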


Lync 2010 hybrid configuration with Skype for Business Online

Everything is moving towards cloud solutions these days, and so is Lync/Skype for Business. This is the quick way to federate your existing Lync 2010 environment with Skype for Business Online so you can start migrating Lync 2010 users to the cloud.

Lync 2010 On-Premise:

The Front End server needs to be upgraded to the cumulative update (CU) from March 2013 or later. The latest CU updates are available here. The Edge server should be upgraded to the same version.

DNS Records:

Ensure that you have the following DNS record:

SRV  _sip._tls.DomainName.com (TCP: 5061)  sip.DomainName.com

Office 365 tenant:

To enable federation in the Office 365 tenant, go to the Skype for Business admin center and set external access to “On except for blocked domains”, as shown below.

Skype for Business administrative tools:

Since Lync 2010 is not directly compatible with Skype for Business online, we need to download and install Skype for Business administrative tools. These tools need to be installed on a member server outside the Lync 2010 topology.

From Skype for Business Server Management Shell check the access edge configuration and configure if necessary.

  • Run Get-CsAccessEdgeConfiguration and verify that AllowOutsideUsers and AllowFederatedUsers are both True and that RoutingMethod is UseDnsSrvRouting.
  • If not, run Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true -UseDnsSrvRouting

From Skype for Business Server Management Shell, check if the Lync hosting provider is configured and modify if needed.

  • Get-CsHostingProvider -Identity LyncOnline
  • It should look like this

Configure the Skype for Business online tenant for shared SIP address space:

Download and install the Skype for Business online PowerShell module from here.

Establish a PowerShell session with Skype for Business online:

  • Run PowerShell as administrator.
  • Import-Module LyncOnlineConnector
  • $cred = Get-Credential and input your Office 365 administrator account credentials.
  • $CSSession = New-CsOnlineSession -Credential $cred
  • Import-PSSession $CSSession -AllowClobber
  • And finally Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

Moving users to Skype for Business online:

First we need to get the hosted migration URL. Go to your Office 365 and Skype for Business admin center and copy the URL from there up until “lync.com”. It should look similar to “https://admin0a.online.lync.com”. Append “/HostedMigration/hostedmigrationservice.svc” so the whole URL looks like “https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc”

From Skype for Business Server Management Shell run

  • Move-CsUser -Identity username -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl <url>
  • Input the credentials for your Office 365 administrator account.
  • When the user is moved, go to the Users page in your Skype for Business admin center and check that the user is there.
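The steps above as one pre-flight and migration script, added here as an example and not taken from the original post. It is meant for the Skype for Business Server Management Shell on the admin-tools server; the SIP domain, pilot user and admin URL prefix are assumptions, and the hosting-provider values it compares against are the ones Microsoft documents for Lync Online hybrid.

```powershell
# Added example, not from the original post. Replace the three values below.
$sipDomain          = 'DomainName.com'
$pilotUser          = "pilot.user@$sipDomain"
$hostedMigrationUrl = 'https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc'

# 1. DNS: federation partners locate your Access Edge through the _sip._tls SRV record.
$srv = Resolve-DnsName -Name "_sip._tls.$sipDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget }
if (-not $srv) { throw "SRV record _sip._tls.$sipDomain is missing" }
"SRV -> $($srv.NameTarget):$($srv.Port)"

# 2. Access Edge: outside users, federation and DNS SRV routing all have to be enabled.
$edge = Get-CsAccessEdgeConfiguration
if (-not ($edge.AllowOutsideUsers -and $edge.AllowFederatedUsers) -or
    $edge.RoutingMethod -ne 'UseDnsSrvRouting') {
    Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true -AllowFederatedUsers $true -UseDnsSrvRouting
}

# 3. Hosting provider: compare against the settings Microsoft documents for Lync Online hybrid.
$expected = @{
    ProxyFqdn                 = 'sipfed.online.lync.com'
    Enabled                   = $true
    EnabledSharedAddressSpace = $true
    HostsOCSUsers             = $true
    IsLocal                   = $false
    VerificationLevel         = 'UseSourceVerification'
}
$hp = Get-CsHostingProvider -Identity LyncOnline
$mismatch = $expected.Keys | Where-Object { "$($hp.$_)" -ne "$($expected[$_])" }
if ($mismatch) { throw "Hosting provider LyncOnline differs on: $($mismatch -join ', ')" }

# 4. Tenant: turn on the shared SIP address space, as in the post (prompts for the O365 admin).
Import-Module LyncOnlineConnector
$cred   = Get-Credential -Message 'Office 365 administrator'
$online = New-CsOnlineSession -Credential $cred
Import-PSSession $online -AllowClobber | Out-Null
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

# 5. Move one pilot user and confirm the tenant now lists it (Identity is the UPN, which
#    here is assumed to equal the SIP address).
Move-CsUser -Identity $pilotUser -Target 'sipfed.online.lync.com' -Credential $cred `
            -HostedMigrationOverrideUrl $hostedMigrationUrl -Confirm:$false
Get-CsOnlineUser -Identity $pilotUser | Select-Object DisplayName, SipAddress
```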

Now you are ready to begin testing the migrated user.


Enabling remote Powershell on workgroup computers

Using remote Powershell on workgroup computers is disabled by default. This is how to enable it at the host and the client.

Host

At the host that we want to reach with PowerShell, we need to enable the WinRM service. This is easily done like this:

  • Run Powershell as administrator

  • Run the command “Enable-PSRemoting” and answer Yes to all the questions.

  • To add a bit of security, restrict the firewall rule to only allow traffic from the IP address of the Client that we want to run remote PowerShell from. This can be done with this command:

    Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -RemoteAddress "192.168.0.223"

    The IP address at the end of the command is the address of the Client. This is not needed to get things working, just a safety precaution.

Client

At the client, we need to tell PowerShell that we trust the Host we want to connect to. To add the Host to the trusted hosts list, do this:

  • Run Powershell as administrator

  • Run the command:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.0.10"

    The IP address in the end of the command is the address of the Host.

    Answer Yes to the question/s.

If you get this error:

Run the command "Start-Service winrm" and then the Set-Item… command again.

In case you want to trust connections to all hosts, just replace the IP address with a wildcard *, like this:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"

Now we are ready to connect to the Host through Powershell!
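The client side of the procedure as one script, added here as an example and not code from the original post: it adds the Host to TrustedHosts without overwriting entries that are already there, handles the stopped WinRM service the post mentions, checks that the listener answers, and then opens a session with explicit credentials. 192.168.0.10 is the post’s example Host address; the account name is whatever local administrator exists on the Host.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Client.
$hostIp = '192.168.0.10'                      # the Host from the post

# TrustedHosts is a single comma-separated string; read it before touching it.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -eq '*') {
    # The wildcard from the post disables the host check for every target the client
    # talks to, so it belongs in lab setups only; narrow it to the hosts you manage.
    Write-Warning 'TrustedHosts is "*"; consider listing only the hosts you administer.'
}
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -notcontains $hostIp) {
    # -Concatenate appends to the list; Set-Item without it replaces the whole value.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $hostIp -Concatenate -Force
}

# Set-Item on the WSMan: drive fails when the local WinRM service is stopped (the error
# the post refers to), so make sure it is running.
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }

# Test-WSMan sends an unauthenticated Identify request to the listener (TCP 5985), which
# verifies that Enable-PSRemoting and the firewall rule on the Host are in place.
if (-not (Test-WSMan -ComputerName $hostIp -ErrorAction SilentlyContinue)) {
    throw "WinRM listener on $hostIp is not reachable; check Enable-PSRemoting and the firewall rule"
}

# Workgroup machines cannot use Kerberos, so pass a local account on the Host explicitly.
$cred    = Get-Credential -Message "Local administrator on $hostIp"
$session = New-PSSession -ComputerName $hostIp -Credential $cred
Invoke-Command -Session $session -ScriptBlock {
    # Runs on the Host: show its name and the scoped firewall rule from the post
    hostname
    Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
        Select-Object DisplayName, Enabled, Profile
}
Remove-PSSession $session
```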


Microsoft Office 2013 – Creating a .MSP file with specific installation criteria, using Office Customization Tool and how to prepare it for deployment in SCCM

This is a “how-to guide” that describes how to prepare Microsoft Office 2013 for unattended installation using the OCT, while at the same time preparing the installation source folder for deployment with System Center 2012 Configuration Manager.

First, you need to download the OCT here.

  • Install the version of the Admin Templates that you need (depends on system version)
  • Extract the Office 2013 Admin Templates files into the Office 2013 source files

Creating the .MSP using OCT

  • Copy all content from the Microsoft Office 2013 DVD to a source share of your choice: \\SCCM1Server\Source\Applications\Microsoft Office Professional Plus 2013 ENU\DT-MSI_x86\

NOTE: You will have to create a subfolder for each deployment

  • Start the Office Customization Tool (OCT), by running “Setup.exe /admin” from the source folder as shown below:

  • Click “OK” on the UAC prompt if it appears, then verify the version of Office that you want to use with the OCT, as shown below (without the 64-bit version), and press “OK” again:

  • Press “OK” for the desired version; a pop-up window will appear with 3 available options. The default choice is “Keep Current Settings”, but for this example I will use the second option and press “OK”, as shown below:

  • When you are in the OCT Wizard, you can customise all the available settings that you can see – for example whether the MS Office icons should be created on the desktop, just to name an easy but useful one. You can customise and configure everything that you can find in the Wizard.

BUT for this installation I will configure only what is needed to make the installation unattended and to give users a simpler experience when they install the application from the System Center 2012 Application Catalog.

  • Select where to install the files on the source location and specify the organisation name, as shown below:

  • Select “Licensing and user interface”, and select “I accept the terms in the License Agreement”. In the Display level, select Basic, and select both Suppress modal, and No cancel, as shown below:

  • Select “Modify Setup properties”, and click “Add”, in the “Add/Modify Property Value” dialog box add the following information, and click “OK”, as shown in exhibit below:

  • If you also want to disable the Office 2013 Welcome screen, select “Modify user settings”, expand “Microsoft Office 2013, Privacy” and “Trust Center”. Then select “Disable Opt-In Wizard on first run”, double-click the setting and finally select “Enable”

  • Now you just need to save the .MSP file in the Updates folder of the source folder location and you are done – press “File”, then save the file as described above and shown below

  • You have now prepared the source folder for unattended installation; when you run “Setup.exe” from the source folder, the installation will be 100% silent, if customised correctly.
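Before building the Configuration Manager application, it is worth checking that the source share really is ready for a silent install. The script below is an added example and not part of the original post; it uses the share path from the post, expects the Office 2013 media layout, and reads the ProductCode of ProPlusWW.msi, which is what the MSI detection method created later in the guide is based on.

```powershell
# Added example, not from the original post. The share path is the one used above.
$source = '\\SCCM1Server\Source\Applications\Microsoft Office Professional Plus 2013 ENU\DT-MSI_x86'
$problems = @()

# Setup.exe is the installation program the application will run.
if (-not (Test-Path (Join-Path $source 'setup.exe'))) {
    $problems += 'setup.exe not found; copy the whole DVD content to the source folder'
}

# Office Setup applies every .MSP it finds in Updates; exactly one customization file belongs there.
$msps = @(Get-ChildItem (Join-Path $source 'Updates') -Filter *.msp -ErrorAction SilentlyContinue)
switch ($msps.Count) {
    0       { $problems += 'No .MSP in Updates: save the OCT file there or Setup will prompt the user' }
    1       { "Customization file: $($msps[0].Name)" }
    default { $problems += "Several .MSP files in Updates ($($msps.Name -join ', ')); keep one per deployment" }
}

# The MSI that the Create Application Wizard imports: read its ProductCode through the
# Windows Installer COM API, the same value the MSI detection method will use.
$msi = Get-ChildItem $source -Recurse -Filter ProPlusWW.msi | Select-Object -First 1
if (-not $msi) {
    $problems += 'ProPlusWW.msi not found under the source folder'
} else {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($msi.FullName, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $code = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
    "Detection method ProductCode: $code"
    # The wizard points the content location at the MSI's folder; the guide moves it up to $source.
    "Content location should be $source (not $($msi.DirectoryName))"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'Source folder is ready for a silent Setup.exe run' }
```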

Creating and deploying the application

This section describes how to create an application using System Center 2012 Configuration Manager and how to deploy it after creation.

First off, you will need access to a functioning Configuration Manager Administration Console, and the logged-in user must have permissions to create and, of course, deploy applications.

  • In the Configuration Manager Console, navigate to Software Library -> Overview -> Application Management -> Applications

  • In the top menu press “Create Application”

  • In the Create Application Wizard, verify that “Automatically detect information” is selected and that the Type is Windows Installer (*.msi file), and click “Browse” as shown below

  • Navigate to the source folder (by using the UNC share path used earlier) and select the “ProPlusWW.msi” file, and click “Open”

  • On the General page of the Create Application Wizard, click “Next”, verify that the imported information is correct and that the import was successful, and click “Next”
  • On the General Information page, verify that the Name is displayed as you would prefer to see it in the Console. Fill in the Manufacturer (Microsoft) and the Software version (2013) as shown below:

  • In the installation program field, delete the default and type “Setup.exe”. Then verify that the Install behavior is set to “Install for System” and click “Next”

  • Click “Next” on the summary page and on the completion page. Verify that the application was imported successfully and, once verified, press “Next”
  • In the Configuration Manager console, select the application and press “Deployment Types” as shown in the exhibit below

  • Right-click the deployment type Microsoft Office Professional Plus 2013 – Windows Installer, and select Properties

  • Select the Content tab and change the content location by removing the “\proplusww” at the end of the pre-configured location

  • Select the “Programs” tab and change the Uninstall program to “Setup.exe /uninstall”

  • Navigate to the Detection Method tab and verify that the MSI detection code has been created

  • Now that the Office 2013 application has been created, once again navigate to “Software Library -> Overview -> Application Management -> Applications” and select the one you just created

  • Select “Deploy” under the “Home” tab

  • On the General tab, press “Browse” and select the target collection that you want the application deployed to (in this example I just targeted “All Users”), followed by pressing “Next”

  • In the content tab, Click “Add” and choose desired Distribution Point or group and press “OK”

  • Click “Next”, then click “Next” 6 more times and “Close” to complete the wizard. The deployment of the application is now done, and the user experience should look like this when opening the “Application Catalog”


Dell Command | Integration Suite for System Center

The Dell Command | Integration Suite for System Center 2012 extends Configuration Manager to provide easier management of Dell hardware models like OptiPlex, Precision, Latitude and the Tablet series running the following operating systems: Windows 7, Windows 8.x and Windows 10.

The Dell Integration Suite for System Center offers three major tools to help import, manage and distribute Dell drivers using System Center Configuration Manager.

  • Dell customized boot images

Using the GUI provided by the integration suite combined with Dell’s WinPE driver cabs, you can easily import Dell WinPE drivers into your existing boot image or create a clean image containing only Dell WinPE drivers. This is an easy way to prepare for e.g. a hardware vendor change, or simply to keep your boot images up to date. Currently, Dell driver cabs support the following versions of WinPE: 2.x, 3.x, 4.x, 5.x and 10.

  • Dell driver packs

Integrating new driver packs is easier and less time-consuming using the integration suite. From Dell’s driver cab download page it is possible to download cab family packs or specific hardware model packs. These driver packs contain driver support for one or multiple hardware models, for both x86 and x64 architectures of each Windows operating system. Using the GUI provided by the integration suite it is possible to pick and choose between hardware models and operating system architectures, and to pick distribution points before creating the driver package. When the creation/distribution process is complete, the driver pack and the individual drivers are labeled with timestamp, model, architecture, driver pack version and operating system. The driver packs and drivers have now been sorted and labeled, and are ready to use within your current task sequence.

  • Dell customised task sequence

Along with the GUIs provided for boot images and driver packs, the integration suite offers a “predefined” MDT-like Dell task sequence. This task sequence includes tools from the Dell Custom Script package, predefined BitLocker steps and steps to manage the BIOS both pre- and post-installation of the operating system. The executable BIOS configuration files are created and exported using the Dell Configure Standalone tool or executed from the command line (PowerShell) directly in the task sequence.

To sum up, Dell Command | Integration Suite for System Center 2012 is an excellent tool to accomplish some of the everyday tasks in a more efficient and faster way than System Center 2012 offers itself.

Download sources

Download Integration Suite for System Center 2012.

Download WinPE and model specific driver cabs.


Software is Eating the World – Don’t Get Eaten

CIOs are moving up in the world. We’re seeing IT leaders taking on strategic business roles, getting promoted to CEO and appointed as board members. And it’s no coincidence.

A fitting motto for the modern CIO is the adage, “Times of great change also bring great opportunity.” The new world of mobile apps, cloud services, and the Internet of Things is reshaping how all industries get business done. What’s more, technology-first market newcomers are challenging incumbents with radically new user experiences and business models. Uber has laid the traditional taxi dispatch model to waste, Airbnb has brought automation, distribution and scale to a cottage industry of vacation rentals, and JustEat keeps a healthy, high quality and economical meal just a few taps away.

In this new world order, IT is the function that’s best positioned to help businesses stay competitive. As a result, the CIO is increasingly expected to take responsibility for organization-wide goals like sales growth, stepped-up efficiency, maximized productivity, and improved customer experiences. This puts heavy pressure on established enterprises to adapt, replacing legacy business models, processes, and experiences with technology-enabled ones. It’s up to IT leaders to drive that adaptation, and they must do so quickly – otherwise, software will eat them alive.

Take Adobe, for example. Over the past three years, CIO Gerri Martin-Flickinger and her IT team have been central in evolving Adobe from a software product company into a services business. Martin-Flickinger has led key decisions involving subscription pricing, release cycle timing and sales engagement models – all considerations that looked drastically different from, or weren’t considerations at all – when Adobe shipped its products in boxes.

Transformation stories like Adobe’s point to the increasing necessity of CIOs to step up to the plate. IT’s expanded new role is forward-thinking, and that means today’s CIOs must thrive in the face of challenges. When the sales department requests a new application to better manage customer interactions, when operations asks to automate service processes or when an organization is transitioning from a hardware company to a service business, it’s IT that must deliver.

More than ever before, IT professionals have the opportunity to lead high value initiatives, both large and small, that are fundamental to business. They are revenue generators in their own right, and it’s increasingly their responsibility to embrace such a role. In this way, an alternative title for the CIO might be “Chief Business Enabler.”

Of course, the rising IT opportunity doesn’t come without challenges. When you put more technology in the hands of employees, customers, partners, and suppliers, you must also find new approaches for the management, governance, security, and administration of these new tools. Here at Okta, we are continually inspired by IT leaders who see the massive opportunities in cloud and mobile and strive to transform organizations, products, and services to make their companies better. No matter your function, it’s time to invite your CIO out for lunch. Bon appétit!

SOURCE: OKTA
